With COVID-19 being a global pandemic, many organizations have decided to begin broad telecommuting policies to assist with social-distancing. Malicious actors, both cybercriminals and Nation-state sponsored, have begun to utilize the increased focus on distributed information regarding this virus to deliver malware by way of phishing and drive-by download. This report will cover our observations and analysis. Over the last 30 days, there has been an increase in cybercriminals and nation-state sponsored adversaries leveraging the SARS-CoV2 (aka: COVID-19, Coronavirus) events as part of their malicious campaigns.
- Campaigns are often leveraging commodity and well-document malware strains or common, older vulnerabilities
- Threats are not limited to malware, but also attempt at disrupting social order through disinformation and fearmongering
- Industries at most risk from cyber threats include healthcare, government, retail, and transportation
As typical, phishing lures and other means of social engineering using major current events and geopolitical issues are commonly leveraged in phishing campaigns and the COVID-19 pandemic is no exception. Samples analyzed by multiple researchers show that many lures and malicious files were observed to be common malware families. There have also been observations of new strains of ransomware related to the ongoing COVID-19 issue.
A ransomware strain dubbed CoronaVirus Ransomware was observed distributed by unspecified/unattributed actors. Based off a few of the endpoint processes that are executed by this ransomware strain, it shows that not only does it look to behave similarly to other ransomware strains (e.g: deletes shadow volumes, deletes backups, checks geolocation based off IP), but also appeared to have an FTP file upload component. Another possible version of the CoronaVirus Ransomware was more closely related to a wiper malware than strictly encryption.
REvil/Sodinokibi Ransomware operators claimed they have stolen files from a US biotechnology company, 10x Genomics. As of 13 March 2020, the actors threatened to publish the leaked data if the ransomware payment is not made. A first glance of the screenshot of the data appeared to include account credentials, employee email addresses and phone numbers, internal project data, and corporate financial documents.
Fake coronavirus maps and trackers have been appearing on mobile application stores as well as appearing as ad banners on browser sites. These fake trackers have been observed to be compromised with common and commodity malware, like AZOrult.
Phishing lures with malicious attachments with documents associated with treatments and statistics about the coronavirus were analyzed by researchers, which resulted in malicious spyware and keyloggers like Hawkeye being installed on victims’ systems.
The ParallaxRAT was delivered via a Coronavirus-themed lure, seen and reported in mid-February 2020.
Nation-State Sponsored Activity
Nation-state sponsored activity is also being observed, primarily via phishing. Nation-state groups assessed to be leveraging the COVID-19 topic are reported to be associated with Russia, North Korea, and China, and have been observed targeting organizations and victims in Vietnam, South Korea, Mongolia, and Ukraine. The adversary group associated with Chinese activity, Vicious Panda, was reported by researchers to exploit the “equation editor vulnerabilities” in Microsoft Word as part of the recent COVID-19 -themed campaign. The most common exploited Equation Editor vulnerability that Fidelis has observed, and other third-party research teams have reported as being actively exploited, is CVE-2017-11882, Microsoft Office Equation Editor Buffer Overflow vulnerability.
Disinformation and Psychological Trends
Not only are phishing and malware tactics used, but a strong disinformation and psychological messaging campaign was also reported to hit Ukraine in February 2020. A spoof email posing to come from Ukraine’s health ministry was sent to all recipients in the Ukraine’s Ministry of Health’s contact list claiming that there were five (5) confirmed cases of COVID-19 in the country. This email was sent the same day that evacuees from China arrived into the country. The news circulated and resulted in panicking and violence in a small town where the evacuees arrived. It is not confirmed which group or Adversary was involved in this; however, the Security Service of Ukraine did state that the email originated from outside of the country.
Fidelis TRT assesses with high confidence that the government and healthcare sectors are at a higher risk of targeting relative to other industries. Organizations like hospitals, research institutes, pharmaceutical and biotechnology companies, emergency services, local and municipal governments, civil service departments, and health and welfare ministries and departments that are actively engaged and involved in managing public order and responding to the situation may be prime targets for adversaries to disrupt or siphon sensitive data from. Secondary targets include organizations within the transportation, and retail sectors, as disruption in essential services and supplies could exasperate the stress on civilians. Impacted organizations may be more willing to pay high ransom amounts for decryption of files or to prevent data leakage. People may also be more sensitive to false information given the current information-overload environment, which not only may have physical and societal impact, but from a cyber and corporate security perspective could lead to operational security and security-awareness lapses, resulting in an increase in compromises of personal and corporate systems.
Fidelis currently has detections in place for its customers to detect for many strains of commodity malware, ransomware behavior, and vulnerability exploit attempts. These include the above-mentioned threats like AZORult, Hawkeye, REvil and other common ransomware strains based off popular endpoint behaviors, as well as older and popular vulnerabilities likes CVE-2017-11882. TRT currently advises using the same operational security and vigilant protocol when dealing with suspicious emails, by not opening any attachments or clicking on links sent by unknown or suspicious senders, and to report any suspicious activity to your organization’s IT or information security department. The current situation, along with the information-overload environment that this event has created, it is crucial to ensure that well-known and reputable sources are used for any information and updates.